use_backend seems to get prio…?
Closed this issue · 6 comments
I'm back at trying to set up letsencrypt how I want it. The issue I'm having now is that for the only site I'm allowing http I'm using "use_backend" on the same frontend as the plugin is used. But that seems to interfere with this plugin and gets prio. So for the below http config, there's no problem for the redirected subdomains, but blog.woodenstake.se fails:
frontend http
    mode http
    bind *:80
    option httplog
    stats enable
    stats hide-version
    stats realm Haproxy\ Statistics
    stats uri /haproxy
    stats auth viktor:8203101418
    # Letsencrypt: https://github.com/janeczku/haproxy-acme-validation-plugin
    acl url_acme_http01 path_beg /.well-known/acme-challenge/
    http-request use-service lua.acme-http01 if METH_GET url_acme_http01
    redirect scheme https code 301 if { hdr(Host) -i repo.woodenstake.se } !{ ssl_fc }
    redirect scheme https code 301 if { hdr(Host) -i jenkins.woodenstake.se } !{ ssl_fc }
    use_backend ghost if { hdr(host) -i blog.woodenstake.se }
Running with virtualenv: /home/viktor/.local/share/letsencrypt/bin/letsencrypt certonly --text --webroot --webroot-path /var/lib/haproxy --renew-by-default --agree-tos --email hedefalk@gmail.com -d jenkins.woodenstake.se -d jenkins-nas.woodenstake.se -d repo.woodenstake.se -d blog.woodenstake.se -d transmission.woodenstake.se -d uniplybeta.woodenstake.se -d crm.woodenstake.se --test-cert --break-my-certs
Failed authorization procedure. blog.woodenstake.se (http-01): urn:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from http://blog.woodenstake.se/.well-known/acme-challenge/Y4CpPlqq14aONp7Wr6nXcHR2ZGa_3dEtWf49GEzdank [89.253.88.3]: 400
Any idea?
So to be clear: commenting out `use_backend ghost if { hdr(host) -i blog.woodenstake.se }`, validation goes through.
Oh, I could just make a conjunctive acl:
    acl url_acme_challenge path_beg /.well-known/acme-challenge/
    http-request use-service lua.acme-http01 if METH_GET url_acme_challenge
    redirect scheme https code 301 if { hdr(Host) -i repo.woodenstake.se } !{ ssl_fc }
    redirect scheme https code 301 if { hdr(Host) -i jenkins.woodenstake.se } !{ ssl_fc }
    acl host_blog hdr(host) -i blog.woodenstake.se
    use_backend ghost if host_blog !url_acme_challenge
Still struggling with HAProxy's config language :)
But I wonder why the redirects don't bite here, though? The validation works for those domains too…
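A pre-flight probe for the frontend above, added here as an example; it is not code from the issue or from the plugin. It requests a dummy token under /.well-known/acme-challenge/ on every domain from the letsencrypt command, over plain HTTP and without following redirects, and reports which rule answered: a 3xx means a redirect rule fired, a 404 or 200 means the Lua service answered, and anything else (such as the 400 ghost returned for blog.woodenstake.se) means the request landed in a backend. The probe token name and the assumption that the service answers an unknown token with 404 are mine, not the plugin's; adjust them if your copy of the Lua service behaves differently. Standard library only.

```python
"""Pre-flight check: does every domain route the http-01 path to the Lua service?

Run this before letsencrypt so a misrouted challenge shows up as a FAIL line
instead of an "Invalid response ... 400" from the ACME server.
"""
import urllib.error
import urllib.request

# Domains taken from the letsencrypt command in the issue.
DOMAINS = [
    "jenkins.woodenstake.se",
    "jenkins-nas.woodenstake.se",
    "repo.woodenstake.se",
    "blog.woodenstake.se",
    "transmission.woodenstake.se",
    "uniplybeta.woodenstake.se",
    "crm.woodenstake.se",
]

# Assumed, made-up token: it must NOT exist in the webroot, so the service's
# "token not found" reply can be told apart from a backend's reply.
PROBE_TOKEN = "preflight-probe-does-not-exist"
CHALLENGE_PREFIX = "/.well-known/acme-challenge/"


class NoRedirect(urllib.request.HTTPRedirectHandler):
    """Hand the 3xx back to the caller instead of following it: a redirect to
    https is exactly the misrouting we want to detect, not something to chase."""

    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def challenge_url(domain, token=PROBE_TOKEN):
    """Plain-HTTP URL the ACME server would fetch for this domain."""
    return "http://%s%s%s" % (domain, CHALLENGE_PREFIX, token)


def classify(status, headers):
    """Map (status, headers) of an unfollowed response to (ok, verdict)."""
    if 300 <= status < 400:
        target = headers.get("Location", "")
        return False, "redirect rule fired (Location: %s)" % target
    if status == 200:
        return True, "served by the acme-http01 service"
    if status == 404:
        # Assumption: the Lua service answers an unknown token with 404.
        return True, "acme-http01 service reached (token absent, as expected)"
    # 400 from ghost in the issue lands here: a backend answered, not the service.
    return False, "reached a backend or error path (HTTP %d)" % status


def probe(domain, opener=None, timeout=5):
    """Fetch the probe URL for one domain and classify how it was routed."""
    opener = opener or urllib.request.build_opener(NoRedirect)
    req = urllib.request.Request(challenge_url(domain), method="GET")
    try:
        with opener.open(req, timeout=timeout) as resp:
            return classify(resp.status, resp.headers)
    except urllib.error.HTTPError as e:
        # urllib raises for 3xx (via NoRedirect) and 4xx/5xx; status and
        # headers are still available on the exception.
        return classify(e.code, e.headers)
    except urllib.error.URLError as e:
        return False, "no HTTP answer: %s" % e.reason


def main():
    failures = 0
    for domain in DOMAINS:
        ok, why = probe(domain)
        print("%-4s %-32s %s" % ("OK" if ok else "FAIL", domain, why))
        failures += 0 if ok else 1
    raise SystemExit(1 if failures else 0)


if __name__ == "__main__":
    main()
```

Because redirects are not followed, the script distinguishes "the redirect rule won" from "the backend won", which is the distinction the issue is about; a plain curl without `-I`/`--max-redirs 0` would follow the 301 and hide it.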
@hedefalk
The `use_backend` taking precedence over `http-request use-service` is very likely an HAProxy bug worth reporting on the HAProxy mailing list. Great that you found a workaround though! 😄

> Still struggling with HAProxy's config language :)

Totally understandable. HAProxy config has kind of a steep learning curve.